 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_ctl.c,v 1.12.2.5 2012/11/18 22:38:26 riz Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.12.2.6 2012/11/24 04:34:42 riz Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -27,27 +27,27 @@
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF device control.
+ *
  * Implementation of (re)loading, construction of tables and rules.
  * NPF proplib(9) dictionary consumer.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.12.2.5 2012/11/18 22:38:26 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.12.2.6 2012/11/24 04:34:42 riz Exp $");
 #include <sys/param.h>
 #include <sys/conf.h>
 #include <prop/proplib.h>
 #include "npf_ncode.h"
 #include "npf_impl.h"
 #if defined(DEBUG) || defined(DIAGNOSTIC)
 #define	NPF_ERR_DEBUG(e) \
 	prop_dictionary_set_cstring_nocopy((e), "source-file", __FILE__); \
 	prop_dictionary_set_uint32((e), "source-line", __LINE__);
 @@ -700,35 +700,44 @@ fail:
 		sess_htable_destroy(sehasht);
+	}
 	return error;
+}
 /*
  * npfctl_table: add, remove or query entries in the specified table.
+ *
  * For maximum performance, interface is avoiding proplib(3)'s overhead.
  */
 int
 npfctl_table(void *data)
+{
-	npf_ioctl_table_t *nct = data;
+	const npf_ioctl_table_t *nct = data;
 	npf_tableset_t *tblset;
 	int error;
 	npf_core_enter(); /* XXXSMP */
 	tblset = npf_core_tableset();
 	switch (nct->nct_action) {
 	case NPF_IOCTL_TBLENT_LOOKUP:
 		error = npf_table_lookup(tblset, nct->nct_tid,
 		    nct->nct_data.ent.alen, &nct->nct_data.ent.addr);
 	case NPF_IOCTL_TBLENT_ADD:
 		error = npf_table_insert(tblset, nct->nct_tid,
-		    nct->nct_alen, &nct->nct_addr, nct->nct_mask);
+		    nct->nct_data.ent.alen, &nct->nct_data.ent.addr,
 		    nct->nct_data.ent.mask);
 		break;
 	case NPF_IOCTL_TBLENT_REM:
 		error = npf_table_remove(tblset, nct->nct_tid,
-		    nct->nct_alen, &nct->nct_addr, nct->nct_mask);
+		    nct->nct_data.ent.alen, &nct->nct_data.ent.addr,
 		    nct->nct_data.ent.mask);
 		break;
 	case NPF_IOCTL_TBLENT_LIST:
 		error = npf_table_list(tblset, nct->nct_tid,
 		    nct->nct_data.buf.buf, nct->nct_data.buf.len);
 		break;
 	default:
-		error = npf_table_lookup(tblset, nct->nct_tid,
+		error = EINVAL;
-		    nct->nct_alen, &nct->nct_addr);
+		break;
+	}
 	npf_core_exit(); /* XXXSMP */
 	return error;
+}

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_impl.h,v 1.10.2.9 2012/11/18 22:38:26 riz Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.10.2.10 2012/11/24 04:34:42 riz Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -71,31 +71,29 @@
 struct npf_ruleset;
 struct npf_rule;
 struct npf_nat;
 struct npf_session;
 typedef struct npf_ruleset	npf_ruleset_t;
 typedef struct npf_rule		npf_rule_t;
 typedef struct npf_nat		npf_nat_t;
 typedef struct npf_alg		npf_alg_t;
 typedef struct npf_natpolicy	npf_natpolicy_t;
 typedef struct npf_session	npf_session_t;
 struct npf_sehash;
 struct npf_tblent;
 struct npf_table;
 typedef struct npf_sehash	npf_sehash_t;
 typedef struct npf_tblent	npf_tblent_t;
 typedef struct npf_table	npf_table_t;
 typedef npf_table_t *		npf_tableset_t;
 /*
  * DEFINITIONS.
  */
 typedef bool (*npf_algfunc_t)(npf_cache_t *, nbuf_t *, void *);
 #define	NPF_NCODE_LIMIT		1024
 #define	NPF_TABLE_SLOTS		32
 @@ -198,42 +196,39 @@ int		npf_match_udp_ports(npf_cache_t *,
 int		npf_match_icmp4(npf_cache_t *, nbuf_t *, void *, uint32_t);
 int		npf_match_icmp6(npf_cache_t *, nbuf_t *, void *, uint32_t);
 int		npf_match_tcpfl(npf_cache_t *, nbuf_t *, void *, uint32_t);
 /* Tableset interface. */
 void		npf_tableset_sysinit(void);
 void		npf_tableset_sysfini(void);
 const pt_tree_ops_t npf_table_ptree_ops;
 npf_tableset_t *npf_tableset_create(void);
 void		npf_tableset_destroy(npf_tableset_t *);
 int		npf_tableset_insert(npf_tableset_t *, npf_table_t *);
-npf_tableset_t *npf_tableset_reload(npf_tableset_t *);
+void		npf_tableset_reload(npf_tableset_t *, npf_tableset_t *);
 npf_table_t *	npf_table_create(u_int, int, size_t);
 void		npf_table_destroy(npf_table_t *);
 void		npf_table_ref(npf_table_t *);
 void		npf_table_unref(npf_table_t *);
 npf_table_t *	npf_table_get(npf_tableset_t *, u_int);
 void		npf_table_put(npf_table_t *);
 int		npf_table_check(const npf_tableset_t *, u_int, int);
 int		npf_table_insert(npf_tableset_t *, u_int,
 		    const int, const npf_addr_t *, const npf_netmask_t);
 int		npf_table_remove(npf_tableset_t *, u_int,
 		    const int, const npf_addr_t *, const npf_netmask_t);
 int		npf_table_lookup(npf_tableset_t *, u_int,
 		    const int, const npf_addr_t *);
 int		npf_table_list(npf_tableset_t *, u_int, void *, size_t);
 /* Ruleset interface. */
 npf_ruleset_t *	npf_ruleset_create(void);
 void		npf_ruleset_destroy(npf_ruleset_t *);
 void		npf_ruleset_insert(npf_ruleset_t *, npf_rule_t *);
 void		npf_ruleset_natreload(npf_ruleset_t *, npf_ruleset_t *);
 npf_rule_t *	npf_ruleset_matchnat(npf_ruleset_t *, npf_natpolicy_t *);
 npf_rule_t *	npf_ruleset_sharepm(npf_ruleset_t *, npf_natpolicy_t *);
 npf_rule_t *	npf_ruleset_replace(const char *, npf_ruleset_t *);
 void		npf_ruleset_freealg(npf_ruleset_t *, npf_alg_t *);
 npf_rule_t *	npf_ruleset_inspect(npf_cache_t *, nbuf_t *, npf_ruleset_t *,
 		    const ifnet_t *, const int, const int);

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_state_tcp.c,v 1.3.2.5 2012/07/25 20:45:24 jdc Exp $	*/
+/*	$NetBSD: npf_state_tcp.c,v 1.3.2.6 2012/11/24 04:34:42 riz Exp $	*/
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -24,27 +24,27 @@
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF TCP state engine for connection tracking.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.3.2.5 2012/07/25 20:45:24 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.3.2.6 2012/11/24 04:34:42 riz Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
 #ifndef _KERNEL
 #include <stdio.h>
 #include <stdbool.h>
 #include <inttypes.h>
 #endif
 #include <netinet/in.h>
 #include <netinet/tcp.h>
 #include <netinet/tcp_seq.h>
 @@ -84,26 +84,28 @@ static u_int npf_tcp_timeouts[] __read_m
 	[NPF_TCPS_ESTABLISHED]	= 60 * 60 * 24,
 	/* FIN seen: 4 minutes (2 * MSL). */
 	[NPF_TCPS_FIN_SENT]	= 60 * 2 * 2,
 	[NPF_TCPS_FIN_RECEIVED]	= 60 * 2 * 2,
 	/* Half-closed cases: 6 hours. */
 	[NPF_TCPS_CLOSE_WAIT]	= 60 * 60 * 6,
 	[NPF_TCPS_FIN_WAIT]	= 60 * 60 * 6,
 	/* Full close cases: 30 sec and 2 * MSL. */
 	[NPF_TCPS_CLOSING]	= 30,
 	[NPF_TCPS_LAST_ACK]	= 30,
 	[NPF_TCPS_TIME_WAIT]	= 60 * 2 * 2,
 };
 static bool npf_strict_order_rst __read_mostly = false;
 #define	NPF_TCP_MAXACKWIN	66000
 /*
  * List of TCP flag cases and conversion of flags to a case (index).
  */
 #define	TCPFC_INVALID		0
 #define	TCPFC_SYN		1
 #define	TCPFC_SYNACK		2
 #define	TCPFC_ACK		3
 #define	TCPFC_FIN		4
 #define	TCPFC_COUNT		5
 @@ -381,37 +383,40 @@ npf_tcp_inwindow(const npf_cache_t *npc,
 		if (tcpfl & TH_SYN) {
 			(void)npf_fetch_tcpopts(npc, nbuf, NULL,
 			    &fstate->nst_wscale);
+		}
+	}
 	if ((tcpfl & TH_ACK) == 0) {
 		/* Pretend that an ACK was sent. */
 		ack = tstate->nst_end;
 	} else if ((tcpfl & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST) && ack == 0) {
 		/* Workaround for some TCP stacks. */
 		ack = tstate->nst_end;
+	}
 	if (seq == end) {
-		/* If packet contains no data - assume it is valid. */
+	if (__predict_false(tcpfl & TH_RST)) {
-		end = fstate->nst_end;
+		/* RST to the initial SYN may have zero SEQ - fix it up. */
-		seq = end;
+		if (seq == 0 && nst->nst_state == NPF_TCPS_SYN_SENT) {
 			end = fstate->nst_end;
-#if 0
+			seq = end;
 	/* Strict in-order sequence for RST packets. */
 	if ((tcpfl & TH_RST) != 0 && (fstate->nst_end - seq) > 1) {
-		return false;
+		/* Strict in-order sequence for RST packets. */
 		if (npf_strict_order_rst && (fstate->nst_end - seq) > 1) {
 			return false;
+		}
+	}
 #endif
 	/*
 	 * Determine whether the data is within previously noted window,
 	 * that is, upper boundary for valid data (I).
 	 */
 	if (!SEQ_LEQ(end, fstate->nst_maxend)) {
 		npf_stats_inc(NPF_STAT_INVALID_STATE_TCP1);
 		return false;
+	}
 	/* Lower boundary (II), which is no more than one window back. */
 	if (!SEQ_GEQ(seq, fstate->nst_end - tstate->nst_maxwin)) {
 		npf_stats_inc(NPF_STAT_INVALID_STATE_TCP2);
 		return false;

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_tableset.c,v 1.9.2.5 2012/08/13 17:49:52 riz Exp $	*/
+/*	$NetBSD: npf_tableset.c,v 1.9.2.6 2012/11/24 04:34:41 riz Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -22,74 +22,80 @@
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF tableset module.
+ *
- * TODO:
+ * Notes
  * - Dynamic hash growing/shrinking (i.e. re-hash functionality), maybe?
- * - Dynamic array resize.
+ *	The tableset is an array of tables.  After the creation, the array
  *	is immutable.  The caller is responsible to synchronise the access
  *	to the tableset.  The table can either be a hash or a tree.  Its
  *	entries are protected by a read-write lock.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.9.2.5 2012/08/13 17:49:52 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.9.2.6 2012/11/24 04:34:41 riz Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/atomic.h>
 #include <sys/hash.h>
 #include <sys/kmem.h>
 #include <sys/pool.h>
 #include <sys/queue.h>
 #include <sys/rwlock.h>
 #include <sys/systm.h>
 #include <sys/types.h>
 #include "npf_impl.h"
 /*
  * Table structures.
  */
-struct npf_tblent {
+typedef struct npf_tblent {
 	union {
 		LIST_ENTRY(npf_tblent) hashq;
 		pt_node_t	node;
 	} te_entry;
 	int			te_alen;
 	npf_addr_t		te_addr;
-};
+} npf_tblent_t;
 LIST_HEAD(npf_hashl, npf_tblent);
 struct npf_table {
 	char			t_name[16];
 	/* Lock and reference count. */
 	krwlock_t		t_lock;
 	u_int			t_refcnt;
 	/* Total number of items. */
 	u_int			t_nitems;
 	/* Table ID. */
 	u_int			t_id;
 	/* The storage type can be: a) hash b) tree. */
 	int			t_type;
 	struct npf_hashl *	t_hashl;
 	u_long			t_hashmask;
 	/* Separate trees for IPv4 and IPv6. */
 	pt_tree_t		t_tree[2];
 };
 #define	NPF_ADDRLEN2TREE(alen)	((alen) >> 4)
 static pool_cache_t		tblent_cache	__read_mostly;
 /*
  * npf_table_sysinit: initialise tableset structures.
  */
 void
 npf_tableset_sysinit(void)
+{
 @@ -116,56 +122,81 @@ npf_tableset_create(void)
 void
 npf_tableset_destroy(npf_tableset_t *tblset)
+{
 	const size_t sz = NPF_TABLE_SLOTS * sizeof(npf_table_t *);
 	npf_table_t *t;
 	u_int tid;
 	/*
 	 * Destroy all tables (no references should be held, as ruleset
 	 * should be destroyed before).
 	 */
 	for (tid = 0; tid < NPF_TABLE_SLOTS; tid++) {
 		t = tblset[tid];
-		if (t != NULL) {
+		if (t && --t->t_refcnt == 0) {
 			npf_table_destroy(t);
+		}
+	}
 	kmem_free(tblset, sz);
+}
 /*
  * npf_tableset_insert: insert the table into the specified tableset.
+ *
  * => Returns 0 on success.  Fails and returns error if ID is already used.
  */
 int
 npf_tableset_insert(npf_tableset_t *tblset, npf_table_t *t)
+{
 	const u_int tid = t->t_id;
 	int error;
 	KASSERT((u_int)tid < NPF_TABLE_SLOTS);
 	if (tblset[tid] == NULL) {
 		tblset[tid] = t;
 		t->t_refcnt++;
 		error = 0;
 	} else {
 		error = EEXIST;
+	}
 	return error;
+}
 /*
  * npf_tableset_reload: iterate all tables and if the new table is of the
  * same type and has no items, then we preserve the old one and its entries.
+ *
  * => The caller is responsible for providing synchronisation.
  */
 void
 npf_tableset_reload(npf_tableset_t *ntset, npf_tableset_t *otset)
+{
 	for (int i = 0; i < NPF_TABLE_SLOTS; i++) {
 		npf_table_t *t = ntset[i], *ot = otset[i];
 		if (t == NULL || ot == NULL) {
 			continue;
+		}
 		if (t->t_nitems || t->t_type != ot->t_type) {
 			continue;
+		}
 		ntset[i] = ot;
 		ot->t_refcnt++;
 		npf_table_destroy(t);
+	}
+}
 /*
  * Few helper routines.
  */
 static npf_tblent_t *
 table_hash_lookup(const npf_table_t *t, const npf_addr_t *addr,
     const int alen, struct npf_hashl **rhtbl)
+{
 	const uint32_t hidx = hash32_buf(addr, alen, HASH32_BUF_INIT);
 	struct npf_hashl *htbl = &t->t_hashl[hidx & t->t_hashmask];
 	npf_tblent_t *ent;
 	/*
 	 * Lookup the hash table and check for duplicates.
 @@ -218,141 +249,82 @@ npf_table_create(u_int tid, int type, si
 		break;
 	case NPF_TABLE_HASH:
 		t->t_hashl = hashinit(hsize, HASH_LIST, true, &t->t_hashmask);
 		if (t->t_hashl == NULL) {
 			kmem_free(t, sizeof(npf_table_t));
 			return NULL;
+		}
 		break;
 	default:
 		KASSERT(false);
+	}
 	rw_init(&t->t_lock);
 	t->t_type = type;
 	t->t_refcnt = 1;
 	t->t_id = tid;
 	return t;
+}
 /*
  * npf_table_destroy: free all table entries and table itself.
  */
 void
 npf_table_destroy(npf_table_t *t)
+{
 	switch (t->t_type) {
-	case NPF_TABLE_HASH: {
+	case NPF_TABLE_HASH:
 		for (unsigned n = 0; n <= t->t_hashmask; n++) {
 			npf_tblent_t *ent;
 			while ((ent = LIST_FIRST(&t->t_hashl[n])) != NULL) {
 				LIST_REMOVE(ent, te_entry.hashq);
 				pool_cache_put(tblent_cache, ent);
+			}
+		}
 		hashdone(t->t_hashl, HASH_LIST, t->t_hashmask);
 		break;
 	case NPF_TABLE_TREE:
 	case NPF_TABLE_TREE: {
 		table_tree_destroy(&t->t_tree[0]);
 		table_tree_destroy(&t->t_tree[1]);
 		break;
 	default:
 		KASSERT(false);
+	}
 	rw_destroy(&t->t_lock);
 	kmem_free(t, sizeof(npf_table_t));
+}
 /*
  * npf_table_ref: holds the reference on table.
  * => Table must be locked.
  */
 void
 npf_table_ref(npf_table_t *t)
 	KASSERT(rw_lock_held(&t->t_lock));
 	atomic_inc_uint(&t->t_refcnt);
 /*
  * npf_table_unref: drop reference from the table and destroy the table if
  * it is the last reference.
  */
 void
 npf_table_unref(npf_table_t *t)
 	if (atomic_dec_uint_nv(&t->t_refcnt) != 0) {
 		return;
 	npf_table_destroy(t);
 /*
  * npf_table_get: find the table according to ID and "get it" by locking it.
  */
 npf_table_t *
 npf_table_get(npf_tableset_t *tset, u_int tid)
 	npf_table_t *t;
 	KASSERT(tset != NULL);
 	if ((u_int)tid >= NPF_TABLE_SLOTS) {
 		return NULL;
 	t = tset[tid];
 	if (t != NULL) {
 		rw_enter(&t->t_lock, RW_READER);
 	return t;
 /*
  * npf_table_put: "put table back" by unlocking it.
  */
 void
 npf_table_put(npf_table_t *t)
 	rw_exit(&t->t_lock);
 /*
  * npf_table_check: validate ID and type.
  */
 int
 npf_table_check(const npf_tableset_t *tset, u_int tid, int type)
+{
 	if ((u_int)tid >= NPF_TABLE_SLOTS) {
 		return EINVAL;
+	}
 	if (tset[tid] != NULL) {
 		return EEXIST;
+	}
 	if (type != NPF_TABLE_TREE && type != NPF_TABLE_HASH) {
 		return EINVAL;
+	}
 	return 0;
+}
 static int
-npf_table_validate_cidr(const u_int aidx, const npf_addr_t *addr,
+table_cidr_check(const u_int aidx, const npf_addr_t *addr,
     const npf_netmask_t mask)
+{
 	if (mask > NPF_MAX_NETMASK && mask != NPF_NO_NETMASK) {
 		return EINVAL;
+	}
 	if (aidx > 1) {
 		return EINVAL;
+	}
 	/*
 	 * For IPv4 (aidx = 0) - 32 and for IPv6 (aidx = 1) - 128.
 	 * If it is a host - shall use NPF_NO_NETMASK.
 @@ -365,166 +337,250 @@ npf_table_validate_cidr(const u_int aidx
 /*
  * npf_table_insert: add an IP CIDR entry into the table.
  */
 int
 npf_table_insert(npf_tableset_t *tset, u_int tid, const int alen,
     const npf_addr_t *addr, const npf_netmask_t mask)
+{
 	const u_int aidx = NPF_ADDRLEN2TREE(alen);
 	npf_tblent_t *ent;
 	npf_table_t *t;
 	int error;
-	error = npf_table_validate_cidr(aidx, addr, mask);
+	if ((u_int)tid >= NPF_TABLE_SLOTS || (t = tset[tid]) == NULL) {
 		return EINVAL;
+	}
 	error = table_cidr_check(aidx, addr, mask);
 	if (error) {
 		return error;
+	}
 	ent = pool_cache_get(tblent_cache, PR_WAITOK);
 	memcpy(&ent->te_addr, addr, alen);
 	ent->te_alen = alen;
 	/* Get the table (acquire the lock). */
 	t = npf_table_get(tset, tid);
 	if (t == NULL) {
 		pool_cache_put(tblent_cache, ent);
 		return EINVAL;
 	/*
 	 * Insert the entry.  Return an error on duplicate.
 	 */
 	rw_enter(&t->t_lock, RW_WRITER);
 	switch (t->t_type) {
 	case NPF_TABLE_HASH: {
 		struct npf_hashl *htbl;
 		/*
 		 * Hash tables by the concept support only IPs.
 		 */
 		if (mask != NPF_NO_NETMASK) {
 			error = EINVAL;
 			break;
+		}
 		if (!table_hash_lookup(t, addr, alen, &htbl)) {
 			LIST_INSERT_HEAD(htbl, ent, te_entry.hashq);
 			t->t_nitems++;
 		} else {
 			error = EEXIST;
+		}
 		break;
+	}
 	case NPF_TABLE_TREE: {
 		pt_tree_t *tree = &t->t_tree[aidx];
 		bool ok;
 		/*
 		 * If no mask specified, use maximum mask.
 		 */
-		if (mask != NPF_NO_NETMASK) {
+		ok = (mask != NPF_NO_NETMASK) ?
-			ok = ptree_insert_mask_node(tree, ent, mask);
+		    ptree_insert_mask_node(tree, ent, mask) :
 		    ptree_insert_node(tree, ent);
 		if (ok) {
 			t->t_nitems++;
 			error = 0;
 		} else {
-			ok = ptree_insert_node(tree, ent);
+			error = EEXIST;
+		}
 		error = ok ? 0 : EEXIST;
 		break;
+	}
 	default:
 		KASSERT(false);
+	}
-	npf_table_put(t);
+	rw_exit(&t->t_lock);
 	if (error) {
 		pool_cache_put(tblent_cache, ent);
+	}
 	return error;
+}
 /*
  * npf_table_remove: remove the IP CIDR entry from the table.
  */
 int
 npf_table_remove(npf_tableset_t *tset, u_int tid, const int alen,
     const npf_addr_t *addr, const npf_netmask_t mask)
+{
 	const u_int aidx = NPF_ADDRLEN2TREE(alen);
 	npf_tblent_t *ent;
 	npf_table_t *t;
 	int error;
-	error = npf_table_validate_cidr(aidx, addr, mask);
+	error = table_cidr_check(aidx, addr, mask);
 	if (error) {
 		return error;
+	}
 	t = npf_table_get(tset, tid);
-	if (t == NULL) {
+	if ((u_int)tid >= NPF_TABLE_SLOTS || (t = tset[tid]) == NULL) {
 		return EINVAL;
+	}
 	rw_enter(&t->t_lock, RW_WRITER);
 	switch (t->t_type) {
 	case NPF_TABLE_HASH: {
 		struct npf_hashl *htbl;
 		ent = table_hash_lookup(t, addr, alen, &htbl);
 		if (__predict_true(ent != NULL)) {
 			LIST_REMOVE(ent, te_entry.hashq);
 			t->t_nitems--;
+		}
 		break;
+	}
 	case NPF_TABLE_TREE: {
 		pt_tree_t *tree = &t->t_tree[aidx];
 		ent = ptree_find_node(tree, addr);
 		if (__predict_true(ent != NULL)) {
 			ptree_remove_node(tree, ent);
 			t->t_nitems--;
+		}
 		break;
+	}
 	default:
 		KASSERT(false);
 		ent = NULL;
+	}
-	npf_table_put(t);
+	rw_exit(&t->t_lock);
 	if (ent == NULL) {
 		return ENOENT;
+	}
 	pool_cache_put(tblent_cache, ent);
 	return 0;
+}
 /*
  * npf_table_lookup: find the table according to ID, lookup and match
  * the contents with the specified IP address.
  */
 int
 npf_table_lookup(npf_tableset_t *tset, u_int tid,
     const int alen, const npf_addr_t *addr)
+{
 	const u_int aidx = NPF_ADDRLEN2TREE(alen);
 	npf_tblent_t *ent;
 	npf_table_t *t;
 	if (__predict_false(aidx > 1)) {
 		return EINVAL;
+	}
-	t = npf_table_get(tset, tid);
+	if ((u_int)tid >= NPF_TABLE_SLOTS || (t = tset[tid]) == NULL) {
 	if (__predict_false(t == NULL)) {
 		return EINVAL;
+	}
 	rw_enter(&t->t_lock, RW_READER);
 	switch (t->t_type) {
 	case NPF_TABLE_HASH: {
 		struct npf_hashl *htbl;
 		ent = table_hash_lookup(t, addr, alen, &htbl);
 		break;
+	}
 	case NPF_TABLE_TREE: {
 		ent = ptree_find_node(&t->t_tree[aidx], addr);
 		break;
+	}
 	default:
 		KASSERT(false);
 		ent = NULL;
+	}
-	npf_table_put(t);
+	rw_exit(&t->t_lock);
 	return ent ? 0 : ENOENT;
+}
 static int
 table_ent_copyout(npf_tblent_t *ent, npf_netmask_t mask,
     void *ubuf, size_t len, size_t *off)
+{
 	void *ubufp = (uint8_t *)ubuf + *off;
 	npf_ioctl_ent_t uent;
 	if ((*off += sizeof(npf_ioctl_ent_t)) > len) {
 		return ENOMEM;
+	}
 	uent.alen = ent->te_alen;
 	memcpy(&uent.addr, &ent->te_addr, sizeof(npf_addr_t));
 	uent.mask = mask;
 	return copyout(&uent, ubufp, sizeof(npf_ioctl_ent_t));
+}
 static int
 table_tree_list(pt_tree_t *tree, npf_netmask_t maxmask, void *ubuf,
     size_t len, size_t *off)
+{
 	npf_tblent_t *ent = NULL;
 	int error = 0;
 	while ((ent = ptree_iterate(tree, ent, PT_ASCENDING)) != NULL) {
 		pt_bitlen_t blen;
 		if (!ptree_mask_node_p(tree, ent, &blen)) {
 			blen = maxmask;
+		}
 		error = table_ent_copyout(ent, blen, ubuf, len, off);
 		if (error)
 			break;
+	}
 	return error;
+}
 /*
  * npf_table_list: copy a list of all table entries into a userspace buffer.
  */
 int
 npf_table_list(npf_tableset_t *tset, u_int tid, void *ubuf, size_t len)
+{
 	npf_table_t *t;
 	size_t off = 0;
 	int error = 0;
 	if ((u_int)tid >= NPF_TABLE_SLOTS || (t = tset[tid]) == NULL) {
 		return EINVAL;
+	}
 	rw_enter(&t->t_lock, RW_READER);
 	switch (t->t_type) {
 	case NPF_TABLE_HASH:
 		for (unsigned n = 0; n <= t->t_hashmask; n++) {
 			npf_tblent_t *ent;
 			LIST_FOREACH(ent, &t->t_hashl[n], te_entry.hashq)
 				if ((error = table_ent_copyout(ent, 0, ubuf,
 				    len, &off)) != 0)
 					break;
+		}
 		break;
 	case NPF_TABLE_TREE:
 		error = table_tree_list(&t->t_tree[0], 32, ubuf, len, &off);
 		if (error)
 			break;
 		error = table_tree_list(&t->t_tree[1], 128, ubuf, len, &off);
 		if (error)
 			break;
 	default:
 		KASSERT(false);
+	}
 	rw_exit(&t->t_lock);
 	return error;
+}

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_disassemble.c,v 1.3.2.7 2012/08/13 19:43:44 riz Exp $	*/
+/*	$NetBSD: npf_disassemble.c,v 1.3.2.8 2012/11/24 04:34:43 riz Exp $	*/
 /*-
  * Copyright (c) 2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This code is derived from software contributed to The NetBSD Foundation
  * by Christos Zoulas.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -25,27 +25,27 @@
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF n-code disassembler.
+ *
  * FIXME: config generation should be redesigned..
  */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_disassemble.c,v 1.3.2.7 2012/08/13 19:43:44 riz Exp $");
+__RCSID("$NetBSD: npf_disassemble.c,v 1.3.2.8 2012/11/24 04:34:43 riz Exp $");
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <errno.h>
 #include <err.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netinet/tcp.h>
 #include <net/if.h>
 #include <util.h>
 @@ -654,70 +654,51 @@ npfctl_show_nat(nl_rule_t *nrl, unsigned
 	int type;
 	/* TODO: bi-NAT */
 	_npf_rule_getinfo(nrl, &rg.rg_name, &rg.rg_attr, &rg.rg_ifnum);
 	/* Get the interface, if any. */
 	char ifnamebuf[IFNAMSIZ], *ifname = NULL;
 	if (rg.rg_ifnum) {
 		ifname = if_indextoname(rg.rg_ifnum, ifnamebuf);
+	}
 	_npf_nat_getinfo(nt, &type, &flags, &taddr, &alen, &port);
-	struct sockaddr_storage ss;
+	char *taddrbuf, tportbuf[16];
 	char taddrbuf[64], tportbuf[16];
 	if (alen == 4) {
 		struct sockaddr_in *sin = (void *)&ss;
 		sin->sin_len = sizeof(*sin);
 		sin->sin_family = AF_INET;
 		sin->sin_port = 0;
 		memcpy(&sin->sin_addr, &taddr, sizeof(sin->sin_addr));
 		sockaddr_snprintf(taddrbuf, sizeof(taddrbuf),
 		    "%a", (struct sockaddr *)sin);
 	} else {
 		assert(alen == 16);
 		struct sockaddr_in6 *sin6 = (void *)&ss;
 		sin6->sin6_len = sizeof(*sin6);
 		sin6->sin6_family = AF_INET6;
 		sin6->sin6_port = 0;
 		memcpy(&sin6->sin6_addr, &taddr, sizeof(sin6->sin6_addr));
 		sockaddr_snprintf(taddrbuf, sizeof(taddrbuf),
 		    "%a", (struct sockaddr *)sin6);
 	taddrbuf = npfctl_print_addrmask(alen, &taddr, 0);
 	if (port) {
-		snprintf(tportbuf, sizeof(tportbuf),
+		snprintf(tportbuf, sizeof(tportbuf), " port %d", ntohs(port));
 		    " port %d", ntohs(port));
+	}
 	const char *seg1 = "any", *seg2 = "any", *sp1 = "", *sp2 = "", *mt;
 	switch (type) {
 	case NPF_NATIN:
 		mt = "<-";
 		seg1 = taddrbuf;
 		sp1 = port ? tportbuf : "";
 		break;
 	case NPF_NATOUT:
 		mt = "->";
 		seg2 = taddrbuf;
 		sp2 = port ? tportbuf : "";
 		break;
 	default:
 		assert(false);
+	}
 	printf("map %s dynamic %s%s %s %s%s pass ", ifname,
 	    seg1, sp1, mt, seg2, sp2);
 	free(taddrbuf);
 	const void *nc;
 	size_t nclen;
 	nc = _npf_rule_ncode(nrl, &nclen);
 	printf("%s\n", (!nc || !npfctl_show_ncode(nc, nclen)) ? " any " : "");
+}
 int
 npfctl_config_show(int fd)
+{
 	nl_config_t *ncf;
 	bool active, loaded;

 @@ -1,14 +1,14 @@
-.\"	$NetBSD: npfctl.8,v 1.6.6.2 2012/08/13 19:43:44 riz Exp $
+.\"	$NetBSD: npfctl.8,v 1.6.6.3 2012/11/24 04:34:43 riz Exp $
 .\"
 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
 .\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 @@ -17,27 +17,27 @@
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 .\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 12, 2012
+.Dd November 15, 2012
 .Dt NPFCTL 8
 .Os
 .Sh NAME
 .Nm npfctl
 .Nd control NPF packet filter
 .Sh SYNOPSIS
 .Nm npfctl
 .Ar command
 .Op Ar arguments
 .\" -----
 .Sh DESCRIPTION
 The
 .Nm
 @@ -69,41 +69,48 @@ will lose NAT policy due to removal.
 NAT policy is determined by the translation type and address.
 Note that change of filter criteria will not expire associated sessions.
 The reload operation (i.e., replacing the ruleset, NAT policies and tables)
 is atomic.
 .It Ic flush
 Flush configuration.
 That is, remove all rules, tables and expire all sessions.
 This command does not disable packet inspection.
 .It Ic show
 Show the current state and configuration.
 Syntax of printed configuration is for the user and may not match the
 .Xr npf.conf 5
 syntax.
-.\".It Ic table Ar tid
+.It Ic table Ar tid Ic add Aq Ar addr/mask
 .\"List all entries in the currently loaded table specified by
 .\".Ar tid .
 .It Ic table Ar tid Ic [ add | rem ] Aq Ar addr/mask
 In table
 .Ar tid ,
-add or remove the IP address and optionally netmask, specified by
+add the IP address and optionally netmask, specified by
 .Aq Ar addr/mask .
 Only tree-type tables support masks.
 .It Ic table Ar tid Ic rem Aq Ar addr/mask
 In table
 .Ar tid ,
 remove the IP address and optionally netmask, specified by
 .Aq Ar addr/mask .
 Only tree-type tables support masks.
 .It Ic table Ar tid Ic test Aq Ar addr
 Query the table
 .Ar tid
 for a specific IP address, specified by
 .Ar addr .
 If no mask is specified, a single host is assumed.
 .It Ic table Ar tid Ic list
 List all entries in the currently loaded table specified by
 .Ar tid .
 This operation is expensive and should be used with caution.
 .It Ic sess-save
 Save all active sessions.
 The data will be stored in the
 .Pa /var/db/npf_sessions.db
 file.
 Administrator may want to stop the packet inspection before the
 session saving.
 .It Ic sess-load
 Load saved sessions from the file.
 Note that original configuration should be loaded before the session loading.
 In a case of NAT policy changes, sessions which lose an associated policy
 will not be loaded.
 Any existing sessions during the load operation will be expired.

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npfctl.c,v 1.10.2.7 2012/11/18 22:38:28 riz Exp $	*/
+/*	$NetBSD: npfctl.c,v 1.10.2.8 2012/11/24 04:34:43 riz Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -20,40 +20,42 @@
  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.10.2.7 2012/11/18 22:38:28 riz Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.10.2.8 2012/11/24 04:34:43 riz Exp $");
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <err.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
 #include <util.h>
 #include "npfctl.h"
 extern int		yylineno, yycolumn;
 extern const char *	yyfilename;
 extern int		yyparse(void);
 extern void		yyrestart(FILE *);
 enum {
 	NPFCTL_START,
 	NPFCTL_STOP,
 	NPFCTL_RELOAD,
 	NPFCTL_SHOWCONF,
 	NPFCTL_FLUSH,
 @@ -132,30 +134,30 @@ xstrndup(const char *s, size_t len)
 __dead static void
 usage(void)
+{
 	const char *progname = getprogname();
 	fprintf(stderr,
 	    "usage:\t%s [ start | stop | reload | flush | show | stats ]\n",
 	    progname);
 	fprintf(stderr,
 	    "\t%s ( sess-save | sess-load )\n",
 	    progname);
 	fprintf(stderr,
-	    "\t%s table <tid> [ flush ]\n",
+	    "\t%s table <tid> { add | rem | test } <address/mask>\n",
 	    progname);
 	fprintf(stderr,
-	    "\t%s table <tid> { add | rem | test } <address/mask>\n",
+	    "\t%s table <tid> { list | flush }\n",
 	    progname);
 	exit(EXIT_FAILURE);
+}
 static void
 npfctl_parsecfg(const char *cfg)
+{
 	FILE *fp;
 	fp = fopen(cfg, "r");
 	if (fp == NULL) {
 		err(EXIT_FAILURE, "open '%s'", cfg);
 @@ -245,82 +247,156 @@ npfctl_print_error(const nl_error_t *ne)
 	if (srcfile) {
 		warnx("source %s line %d", srcfile, ne->ne_source_line);
+	}
 	if (nc_err) {
 		warnx("n-code error (%d): %s at offset 0x%x",
 		    nc_err, ncode_errors[-nc_err], ne->ne_ncode_errat);
+	}
 	if (ne->ne_id) {
 		warnx("object: %d", ne->ne_id);
+	}
+}
 char *
 npfctl_print_addrmask(int alen, npf_addr_t *addr, npf_netmask_t mask)
+{
 	struct sockaddr_storage ss;
 	char *buf = zalloc(64);
 	int len;
 	switch (alen) {
 	case 4: {
 		struct sockaddr_in *sin = (void *)&ss;
 		sin->sin_len = sizeof(*sin);
 		sin->sin_family = AF_INET;
 		sin->sin_port = 0;
 		memcpy(&sin->sin_addr, addr, sizeof(sin->sin_addr));
 		break;
+	}
 	case 16: {
 		struct sockaddr_in6 *sin6 = (void *)&ss;
 		sin6->sin6_len = sizeof(*sin6);
 		sin6->sin6_family = AF_INET6;
 		sin6->sin6_port = 0;
 		memcpy(&sin6->sin6_addr, addr, sizeof(sin6->sin6_addr));
 		break;
+	}
 	default:
 		assert(false);
+	}
 	len = sockaddr_snprintf(buf, 64, "%a", (struct sockaddr *)&ss);
 	if (mask) {
 		snprintf(&buf[len], 64 - len, "/%u", mask);
+	}
 	return buf;
+}
 __dead static void
-npfctl_table(int fd, char **argv)
+npfctl_table(int fd, int argc, char **argv)
+{
 	static const struct tblops_s {
 		const char *	cmd;
 		int		action;
 	} tblops[] = {
-		{ "add",	NPF_IOCTL_TBLENT_ADD },
+		{ "add",	NPF_IOCTL_TBLENT_ADD		},
-		{ "rem",	NPF_IOCTL_TBLENT_REM },
+		{ "rem",	NPF_IOCTL_TBLENT_REM		},
-		{ "test",	0 },
+		{ "test",	NPF_IOCTL_TBLENT_LOOKUP		},
-		{ NULL,		0 }
+		{ "list",	NPF_IOCTL_TBLENT_LIST		},
 		{ NULL,		0				}
 	};
 	npf_ioctl_table_t nct;
 	fam_addr_mask_t fam;
-	char *cmd = argv[3];
+	size_t buflen = 512;
-	char *arg = argv[3];
+	char *cmd, *arg;
 	int n, alen;
 	/* Default action is list. */
 	memset(&nct, 0, sizeof(npf_ioctl_table_t));
-	nct.nct_tid = atoi(argv[2]);
+	nct.nct_tid = atoi(argv[0]);
 	cmd = argv[1];
 	for (n = 0; tblops[n].cmd != NULL; n++) {
-		if (strcmp(cmd, tblops[n].cmd) == 0) {
+		if (strcmp(cmd, tblops[n].cmd) != 0) {
-			nct.nct_action = tblops[n].action;
+			continue;
 			arg = argv[4];
-			break;
+		nct.nct_action = tblops[n].action;
 		break;
+	}
 	if (tblops[n].cmd == NULL) {
 		errx(EXIT_FAILURE, "invalid command '%s'", cmd);
+	}
 	if (nct.nct_action != NPF_IOCTL_TBLENT_LIST) {
 		if (argc < 3) {
 			usage();
+		}
 		arg = argv[2];
+	}
-	if (!npfctl_parse_cidr(arg, &fam, &alen)) {
+again:
-		errx(EXIT_FAILURE, "invalid CIDR '%s'", arg);
+	if (nct.nct_action == NPF_IOCTL_TBLENT_LIST) {
 		nct.nct_data.buf.buf = zalloc(buflen);
 		nct.nct_data.buf.len = buflen;
 	} else {
 		if (!npfctl_parse_cidr(arg, &fam, &alen)) {
 			errx(EXIT_FAILURE, "invalid CIDR '%s'", arg);
+		}
 		nct.nct_data.ent.alen = alen;
 		memcpy(&nct.nct_data.ent.addr, &fam.fam_addr, sizeof(npf_addr_t));
 		nct.nct_data.ent.mask = fam.fam_mask;
+	}
 	memcpy(&nct.nct_addr, &fam.fam_addr, sizeof(npf_addr_t));
 	nct.nct_mask = fam.fam_mask;
 	nct.nct_alen = alen;
 	if (ioctl(fd, IOC_NPF_TABLE, &nct) != -1) {
 		errno = 0;
+	}
 	switch (errno) {
-	case EEXIST:
+	case 0:
 		warnx("entry already exists or is conflicting");
 		break;
 	case EEXIST:
 		errx(EXIT_FAILURE, "entry already exists or is conflicting");
 	case ENOENT:
-		warnx("no matching entry was not found");
+		errx(EXIT_FAILURE, "no matching entry was not found");
 		break;
 	case EINVAL:
-		warnx("invalid address, mask or table ID");
+		errx(EXIT_FAILURE, "invalid address, mask or table ID");
-		break;
+	case ENOMEM:
-	case 0:
+		if (nct.nct_action == NPF_IOCTL_TBLENT_LIST) {
-		printf("%s: %s\n", getprogname(), nct.nct_action == 0 ?
+			/* XXX */
-		    "matching entry found" : "success");
+			free(nct.nct_data.buf.buf);
-		break;
+			buflen <<= 1;
 			goto again;
+		}
 		/* FALLTHROUGH */
 	default:
-		warn("error");
+		err(EXIT_FAILURE, "ioctl");
+	}
 	if (nct.nct_action == NPF_IOCTL_TBLENT_LIST) {
 		npf_ioctl_ent_t *ent = nct.nct_data.buf.buf;
 		char *buf;
 		while (nct.nct_data.buf.len--) {
 			if (!ent->alen)
 				break;
 			buf = npfctl_print_addrmask(ent->alen,
 			    &ent->addr, ent->mask);
 			puts(buf);
 			ent++;
+		}
 		free(nct.nct_data.buf.buf);
 	} else {
 		printf("%s: %s\n", getprogname(),
 		    nct.nct_action == NPF_IOCTL_TBLENT_LOOKUP ?
 		    "matching entry found" : "success");
+	}
-	exit(errno ? EXIT_FAILURE : EXIT_SUCCESS);
+	exit(EXIT_SUCCESS);
+}
 static void
 npfctl(int action, int argc, char **argv)
+{
 	int fd, ret, ver, boolval;
 	fd = open(NPF_DEV_PATH, O_RDONLY);
 	if (fd == -1) {
 		err(EXIT_FAILURE, "cannot open '%s'", NPF_DEV_PATH);
+	}
 	ret = ioctl(fd, IOC_NPF_VERSION, &ver);
 	if (ret == -1) {
 @@ -345,30 +421,31 @@ npfctl(int action, int argc, char **argv
 		npfctl_parsecfg(argc < 3 ? NPF_CONF_PATH : argv[2]);
 		ret = npfctl_config_send(fd, NULL);
 		if (ret) {
 			errx(EXIT_FAILURE, "ioctl: %s", strerror(ret));
+		}
 		break;
 	case NPFCTL_SHOWCONF:
 		ret = npfctl_config_show(fd);
 		break;
 	case NPFCTL_FLUSH:
 		ret = npf_config_flush(fd);
 		break;
 	case NPFCTL_TABLE:
-		if (argc < 5) {
+		if ((argc -= 2) < 2) {
 			usage();
+		}
-		npfctl_table(fd, argv);
+		argv += 2;
 		npfctl_table(fd, argc, argv);
 		break;
 	case NPFCTL_STATS:
 		ret = npfctl_print_stats(fd);
 		break;
 	case NPFCTL_SESSIONS_SAVE:
 		if (npf_sessions_recv(fd, NPF_SESSDB_PATH) != 0) {
 			errx(EXIT_FAILURE, "could not save sessions to '%s'",
 			    NPF_SESSDB_PATH);
+		}
 		break;
 	case NPFCTL_SESSIONS_LOAD:
 		if (npf_sessions_send(fd, NPF_SESSDB_PATH) != 0) {
 			errx(EXIT_FAILURE, "no sessions loaded from '%s'",

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_table_test.c,v 1.2.2.6 2012/11/18 21:48:56 riz Exp $	*/
+/*	$NetBSD: npf_table_test.c,v 1.2.2.7 2012/11/24 04:34:44 riz Exp $	*/
 /*
  * NPF tableset test.
+ *
  * Public Domain.
  */
 #include <sys/types.h>
 #include "npf_impl.h"
 #include "npf_test.h"
 static const char *ip_list[] = {
 @@ -34,39 +34,63 @@ static const uint16_t ip6_list[][8] = {
+	{
 	    htons(0xfe80), 0x0, 0x0, 0x0,
 x0, 0x0, 0x0, 0x0
 	},
+	{
 	    htons(0xfe80), 0x0, 0x0, 0x0,
 	    htons(0x2a0), htons(0xc0ff), htons(0xfe10), htons(0x1230)
+	}
 };
 #define	HASH_TID		1
 #define	TREE_TID		2
 static bool
 npf_table_test_fill4(npf_tableset_t *tblset, npf_addr_t *addr)
+{
 	const int alen = sizeof(struct in_addr);
 	const int nm = NPF_NO_NETMASK;
 	bool fail = false;
 	/* Fill both tables with IP addresses. */
 	for (unsigned i = 0; i < __arraycount(ip_list); i++) {
 		int error;
 		addr->s6_addr32[0] = inet_addr(ip_list[i]);
 		error = npf_table_insert(tblset, HASH_TID, alen, addr, nm);
 		fail |= !(error == 0);
 		error = npf_table_insert(tblset, HASH_TID, alen, addr, nm);
 		fail |= !(error != 0);
 		error = npf_table_insert(tblset, TREE_TID, alen, addr, nm);
 		fail |= !(error == 0);
 		error = npf_table_insert(tblset, TREE_TID, alen, addr, nm);
 		fail |= !(error != 0);
+	}
 	return fail;
+}
 bool
 npf_table_test(bool verbose)
+{
 	npf_addr_t addr_storage, *addr = &addr_storage;
 	const int nm = NPF_NO_NETMASK;
 	npf_tableset_t *tblset;
 	npf_table_t *t1, *t2;
 	int error, alen;
 	bool fail = false;
 	u_int i;
 	npf_tableset_sysinit();
 	tblset = npf_tableset_create();
 	fail |= !(tblset != NULL);
 	/* Table ID 1, using hash table with 256 lists. */
 	t1 = npf_table_create(HASH_TID, NPF_TABLE_HASH, 256);
 	fail |= !(t1 != NULL);
 	error = npf_tableset_insert(tblset, t1);
 	fail |= !(error == 0);
 	/* Check for double-insert. */
 	error = npf_tableset_insert(tblset, t1);
 	fail |= !(error != 0);
 @@ -77,59 +101,38 @@ npf_table_test(bool verbose)
 	fail |= !(error == 0);
 	/* Attempt to match non-existing entries - should fail. */
 	addr->s6_addr32[0] = inet_addr(ip_list[0]);
 	alen = sizeof(struct in_addr);
 	error = npf_table_lookup(tblset, HASH_TID, alen, addr);
 	fail |= !(error != 0);
 	error = npf_table_lookup(tblset, TREE_TID, alen, addr);
 	fail |= !(error != 0);
 	/* Fill both tables with IP addresses. */
-	for (i = 0; i < __arraycount(ip_list); i++) {
+	fail |= npf_table_test_fill4(tblset, addr);
 		addr->s6_addr32[0] = inet_addr(ip_list[i]);
 		error = npf_table_insert(tblset, HASH_TID, alen, addr, nm);
 		fail |= !(error == 0);
 		error = npf_table_insert(tblset, HASH_TID, alen, addr, nm);
 		fail |= !(error != 0);
 		error = npf_table_insert(tblset, TREE_TID, alen, addr, nm);
 		fail |= !(error == 0);
 		error = npf_table_insert(tblset, TREE_TID, alen, addr, nm);
 		fail |= !(error != 0);
 	/* Attempt to add duplicates - should fail. */
 	addr->s6_addr32[0] = inet_addr(ip_list[0]);
 	alen = sizeof(struct in_addr);
 	error = npf_table_insert(tblset, HASH_TID, alen, addr, nm);
 	fail |= !(error != 0);
 	error = npf_table_insert(tblset, TREE_TID, alen, addr, nm);
 	fail |= !(error != 0);
 	/* Reference checks. */
 	t1 = npf_table_get(tblset, HASH_TID);
 	fail |= !(t1 != NULL);
 	npf_table_put(t1);
 	t2 = npf_table_get(tblset, TREE_TID);
 	fail |= !(t2 != NULL);
 	npf_table_put(t2);
 	/* Match (validate) each IP entry. */
 	for (i = 0; i < __arraycount(ip_list); i++) {
 		addr->s6_addr32[0] = inet_addr(ip_list[i]);
 		error = npf_table_lookup(tblset, HASH_TID, alen, addr);
 		fail |= !(error == 0);
 		error = npf_table_lookup(tblset, TREE_TID, alen, addr);
 		fail |= !(error == 0);
+	}
 	/* IPv6 addresses. */
 	memcpy(addr, ip6_list[0], sizeof(ip6_list[0]));
 @@ -196,17 +199,16 @@ npf_table_test(bool verbose)
 	/* Remove all IPv4 entries. */
 	for (i = 0; i < __arraycount(ip_list); i++) {
 		addr->s6_addr32[0] = inet_addr(ip_list[i]);
 		error = npf_table_remove(tblset, HASH_TID, alen, addr, nm);
 		fail |= !(error == 0);
 		error = npf_table_remove(tblset, TREE_TID, alen, addr, nm);
 		fail |= !(error == 0);
+	}
 	npf_tableset_destroy(tblset);
 	npf_tableset_sysfini();
 	return !fail;
+}

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf.h,v 1.14.2.7 2012/11/18 22:38:26 riz Exp $	*/
+/*	$NetBSD: npf.h,v 1.14.2.8 2012/11/24 04:34:42 riz Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -35,27 +35,27 @@
 #ifndef _NPF_NET_H_
 #define _NPF_NET_H_
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <prop/proplib.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
-#define	NPF_VERSION		6
+#define	NPF_VERSION		7
 /*
  * Public declarations and definitions.
  */
 /* Storage of address (both for IPv4 and IPv6) and netmask */
 typedef struct in6_addr		npf_addr_t;
 typedef uint8_t			npf_netmask_t;
 #define	NPF_MAX_NETMASK		(128)
 #define	NPF_NO_NETMASK		((npf_netmask_t)~0)
 #if defined(_KERNEL)
 @@ -201,35 +201,49 @@ bool		npf_autounload_p(void);
 #define	NPF_TABLE_TREE			2
 /* Layers. */
 #define	NPF_LAYER_2			2
 #define	NPF_LAYER_3			3
 /* XXX mbuf.h: just for now. */
 #define	PACKET_TAG_NPF			10
 /*
  * IOCTL structures.
  */
 #define	NPF_IOCTL_TBLENT_LOOKUP		0
 #define	NPF_IOCTL_TBLENT_ADD		1
 #define	NPF_IOCTL_TBLENT_REM		2
 #define	NPF_IOCTL_TBLENT_LIST		3
 typedef struct npf_ioctl_ent {
 	int			alen;
 	npf_addr_t		addr;
 	npf_netmask_t		mask;
 } npf_ioctl_ent_t;
 typedef struct npf_ioctl_buf {
 	void *			buf;
 	size_t			len;
 } npf_ioctl_buf_t;
 typedef struct npf_ioctl_table {
 	int			nct_action;
 	u_int			nct_tid;
-	int			nct_alen;
+	union {
-	npf_addr_t		nct_addr;
+		npf_ioctl_ent_t	ent;
-	npf_netmask_t		nct_mask;
+		npf_ioctl_buf_t	buf;
 	} nct_data;
 } npf_ioctl_table_t;
 typedef enum {
 	/* Packets passed. */
 	NPF_STAT_PASS_DEFAULT,
 	NPF_STAT_PASS_RULESET,
 	NPF_STAT_PASS_SESSION,
 	/* Packets blocked. */
 	NPF_STAT_BLOCK_DEFAULT,
 	NPF_STAT_BLOCK_RULESET,
 	/* Session and NAT entries. */
 	NPF_STAT_SESSION_CREATE,
 	NPF_STAT_SESSION_DESTROY,

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npfctl.h,v 1.11.2.7 2012/11/18 22:38:27 riz Exp $	*/
+/*	$NetBSD: npfctl.h,v 1.11.2.8 2012/11/24 04:34:43 riz Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -86,26 +86,27 @@ typedef struct proc_call {
 typedef struct proc_param {
 	const char *	pp_param;
 	const char *	pp_value;
 } proc_param_t;
 void		yyerror(const char *, ...) __printflike(1, 2) __dead;
 void *		zalloc(size_t);
 void *		xrealloc(void *, size_t);
 char *		xstrdup(const char *);
 char *		xstrndup(const char *, size_t);
 void		npfctl_print_error(const nl_error_t *);
 char *		npfctl_print_addrmask(int, npf_addr_t *, npf_netmask_t);
 bool		npfctl_table_exists_p(const char *);
 int		npfctl_protono(const char *);
 in_port_t	npfctl_portno(const char *);
 uint8_t		npfctl_icmpcode(int, uint8_t, const char *);
 uint8_t		npfctl_icmptype(int, const char *);
 unsigned long   npfctl_find_ifindex(const char *);
 npfvar_t *	npfctl_parse_tcpflag(const char *);
 npfvar_t *	npfctl_parse_table_id(const char *);
 npfvar_t * 	npfctl_parse_icmp(int, int, int);
 npfvar_t *	npfctl_parse_iface(const char *);
 npfvar_t *	npfctl_parse_port_range(in_port_t, in_port_t);
 npfvar_t *	npfctl_parse_port_range_variable(const char *);
 npfvar_t *	npfctl_parse_fam_addr_mask(const char *, const char *,